The present invention relates generally to cryptography, and more particularly, to a method and system for timed-release public key encryption of data.
Timed-release cryptography is a method for encrypting data such that the encrypted data cannot be decrypted by the intended recipients until a desired release time in the future. Timed-release cryptography can be used in many applications, including e-commerce, sealed bids, press releases, pay-per-view videos, etc. In such applications, a sender typically sends encrypted data, for example a document, to a receiver without allowing the receiver to decrypt the encrypted data until a desired release time.
One known method for timed-release cryptography is the "time-lock puzzle," which is described in R. C. Merkle, "Secure Communications Over Insecure Channels," Communications of the ACM, volume 21, pp. 291-299, April 1978, and in R. Rivest et al., "Time-Lock Puzzles and Timed-Release Crypto," http://theory.lcs.mit.edu/~rivest/publications.html. Using the time-lock puzzle method described in Merkle and Rivest et al., a sender desiring to send data to a receiver encrypts the data such that the average minimum computational time required for any computer to decrypt the encrypted data equals a desired release time. The sender then sends the encrypted data to one or more receivers. At the release time, the sender then sends to the receivers a key for decrypting the encrypted data.
One disadvantage of this method is that a receiver might have the computational capacity to decrypt the encrypted data before the average minimum computational time. A second disadvantage is that, because the receivers in a system might have different computational capacities, the encrypted data may not be decrypted by all receivers at the same time. For example, a receiver with a particular processing capacity might decrypt the encrypted data before a receiver that has a lesser processing capacity.
Another known method for timed-release cryptography is a "time-server method." Using this method, a sender desiring to send data to a receiver sends the data to a time server, which functions as an escrow agent for storing the data until the desired release time. At the release time, the time server then releases the data to the receiver. This method is not scalable for large systems, however, because the time server must store data received from all senders in the system. Also, this method does not guarantee a private communication between the sender and the receiver since the identity of the sender, the receiver, the data, and the release time must be revealed to the time server.
Rivest et al. describes an improved time-server method, where a time server uses the iterates of a one-way function (or a public key sequence) and publishes the next iterate value after a period of time. Using this method, a sender desiring to send timed-release data to one or more receivers sends the data to a time server, where the time server encrypts the data (or a key to an encryption of the data) with a private key and sends the encrypted data to the receivers. The time server then publishes the private key at the release time so that the receivers can decrypt the encrypted data.
This method suffers from at least two disadvantages: first, it is not scalable for large systems or systems with long runtimes since the time server has to generate and publish a large number of keys. Second, this method does not guarantee a private communication between the sender and the receivers since the identity of the sender and the desired release time must be revealed to the time server.
Thus, it is desired to provide a method and system for timed-release cryptography, which overcome the above and other disadvantages of the prior art.
Accordingly, methods and systems consistent with the present invention encrypt data in a timed-release fashion such that a receiver, based on information exchanged with a server, decrypts the encrypted data only at or after a release time without revealing to the server any information about the data, the sender that encrypted the data, and the release time. Furthermore, such methods and systems decrypt the encrypted data without establishing communication between the sender and the server. Moreover, such methods and systems significantly reduce the amount of communication between the sender and the receiver and between the server and the receiver.
In one embodiment, a system comprises a sender, a receiver, and a server. When the sender desires to send encrypted data in a timed-release fashion to the receiver, the sender encrypts the data such that the receiver, based on information exchanged with the server, decrypts the encrypted data only at or after a release time without revealing to the server any information about the sender and the data.
When the sender desires to send encrypted data in a timed-release fashion to the receiver, the sender encrypts a key and a release time based on the public key of the server. The sender encrypts the data based on the encrypted key, and sends to the receiver the encrypted key, the encrypted release time, and the encrypted data. When the receiver desires to decrypt the encrypted data, the receiver sends the encrypted key and the encrypted release time to the server.
The server decrypts the encrypted key and the encrypted release time using its private key. If the server determines that the current time is less than the release time, the server does not send the decrypted key to the receiver, and thus, the receiver fails to decrypt the encrypted data. However, if the server determines that the current time is greater than or equal to the decrypted release time, the server sends the decrypted key to the receiver. The receiver then uses the decrypted key to decrypt the encrypted data. Accordingly, the receiver successfully decrypts the encrypted data at or after the release time without revealing to the server any information about the sender and the data.
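The first embodiment's exchange among sender, receiver, and server can be traced in a short sketch. This is an added example, not code from the patent: it assumes textbook RSA over two Mersenne primes as the server's key pair, a SHA-256 counter keystream as the data cipher, data encrypted under the symmetric key K itself, and K and the release time packed into one ciphertext; all function names are hypothetical.

```python
import hashlib, os, struct

# Toy textbook RSA for the server (illustration only: no padding, small modulus).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537        # two Mersenne primes (assumed key)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # server's private exponent

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">Q", i)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def sender_encrypt(data: bytes, release_time: int):
    """Sender: wrap (K, release time) under the server's public key."""
    k = os.urandom(16)
    blob = int.from_bytes(k + struct.pack(">Q", release_time), "big")
    wrapped = pow(blob, E, N)                   # only the server can open this
    return wrapped, xor_stream(k, data)         # both values go to the receiver

def server_release(wrapped: int, now: int):
    """Server: decrypt, compare times, return K only at or after release."""
    blob = pow(wrapped, D, N).to_bytes(24, "big")
    k, (release_time,) = blob[:16], struct.unpack(">Q", blob[16:])
    return k if now >= release_time else None

def receiver_decrypt(wrapped: int, ciphertext: bytes, now: int):
    """Receiver: ask the server for K, then decrypt the data locally."""
    k = server_release(wrapped, now)
    return None if k is None else xor_stream(k, ciphertext)
```

The server handles only the wrapped value, never the data ciphertext or the sender's identity. Packing K and the release time into one ciphertext is a choice made in this sketch so that the receiver cannot pair the key with a different, earlier release time encrypted under the server's public key.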
In another embodiment, when a sender desires to send encrypted data in a timed-release fashion to a receiver, the sender encrypts the data such that the receiver, based on information exchanged with a server, decrypts the encrypted data only at or after a release time without revealing to the server any information about the sender, the data, and the release time.
The sender encrypts a key and the release time based on the public key of the receiver. The sender then encrypts the data based on the encrypted key. The sender encrypts a concatenation of the encrypted key and the encrypted release time based on the public key of the server, and sends to the receiver the encrypted concatenation, the encrypted data, and the encrypted release time.
When the receiver desires to decrypt the encrypted data, the receiver sends the encrypted concatenation and the encrypted release time to the server. Using its private key, the server decrypts the encrypted concatenation to determine the encrypted key and the encrypted release time. The server encrypts the current time and determines a condition as a function of the encrypted key, the encrypted current time, and the encrypted release time. Using a conditional oblivious transfer method, the server then sends the condition to the receiver.
If the current time is less than or equal to the release time, the receiver fails to determine the encrypted key based on the condition received from the server, and thus, fails to decrypt the encrypted data. However, if the current time is greater than or equal to the release time, the receiver determines the encrypted key based on the condition and uses the encrypted key to decrypt the encrypted data. Accordingly, the receiver decrypts the encrypted data without revealing to the server any information about the sender, the data, and the release time.
The description of the invention and the following description for carrying out the best mode of the invention should not restrict the scope of the claimed invention. Both provide examples and explanations to enable others to practice the invention. The accompanying drawings, which form part of the description for carrying out the best mode of the invention, show several embodiments of the invention, and together with the description, explain the principles of the invention.